Re: quick private vlan question

From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Sun Jun 17 2007 - 11:30:30 ART


Thanks a lot, Muhammad! Actually, passing CCIE labs becomes a habit quickly
when you work at IE :) The bad thing is that you may become addicted to the
process ;)

-- 
Petr Lapukhov, CCIE #16379 (R&S/Security/SP)
petr@internetworkexpert.com

Internetwork Expert, Inc. http://www.InternetworkExpert.com

2007/6/16, Muhammad Nasim <muhammad.nasim@gmail.com>:
>
> Congrats Peter on becoming Triple CCIE : )
>
> IE instructors seem to be going excellent these days
>
>
> On 6/16/07, Mike Kraus (mikraus) <mikraus@cisco.com> wrote:
> >
> > In regards to:
> > > Here's a quick question: Could you have two P-ports sharing the same
> > > primary VLAN, but having different secondary VLAN mappings?
> >
> > Yes, you can!
> >
> > 3560swt001(config)#vlan 850
> > 3560swt001(config-vlan)#private-vlan primary
> > 3560swt001(config-vlan)#vlan 851
> > 3560swt001(config-vlan)#private-vlan isolated
> > 3560swt001(config)#vlan 852
> > 3560swt001(config-vlan)#private-vlan community
> > 3560swt001(config-vlan)#vlan 850
> > 3560swt001(config-vlan)#private-vlan association 851,852
> > 3560swt001(config-vlan)#int fa0/11
> > 3560swt001(config-if)#switchport mode private-vlan promiscuous
> > 3560swt001(config-if)#switchport private-vlan mapping 850 add 851
> > 3560swt001(config-if)#int fa0/12
> > 3560swt001(config-if)#switchport mode private-vlan promiscuous
> > 3560swt001(config-if)#switchport private-vlan mapping 850 add 852
> >
> > It seems that then the promiscuous port only responds to the associated
> > PVLANs. (In the above example, vlan 851 isolated hosts can talk to
> > fa0/11, but they cannot talk to fa0/12, and vlan 852 community hosts can
> > talk to fa0/12, but they cannot talk to fa0/11).
> >
> >
> > ________________________________
> >
> > From: petrsoft@gmail.com [mailto:petrsoft@gmail.com] On Behalf Of Petr Lapukhov
> > Sent: Saturday, June 16, 2007 5:09 AM
> > To: Mike Kraus (mikraus)
> > Cc: Anthony Bonilla; roehsler; ccielab@groupstudy.com
> > Subject: Re: quick private vlan question
> >
> >
> > An isolated or community Private Vlan (secondary) can only have ONE
> > primary VLAN associated with it.
> >
> > Clearly, PVLAN concept is quite simple, but Cisco implementation and
> > configuration is somewhat confusing, with all that mapping and
> > associations :) Here is how I explain PVlans to myself.
> >
> > To begin with, let's start with a concept of Private VLAN domain. This
> > is the basic entity, and what it does is specify how an L2 bridging
> > domain (an L2 broadcast ethernet *cable*) is split into *subdomains*.
> > To understand the concept in depth, let's imagine that a VLAN is a
> > *wire* or *cable* that interconnects many physical *ports*. Next we
> > need to loosen the concept of a *cable*, to have *subdomains within*,
> > and we come to a concept of a *Private VLAN*. Let's see now how Cisco
> > did it:
> >
> > First they added different *port types*:
> >
> > - Isolated (I): Could only communicate with a *funnel* or a Promiscuous
> >   port.
> > - Community (C): Could communicate with its *buddies* and *funnel*
> >   (Promisc port).
> > - Promiscuous (P): Could communicate with anyone, and is a *funnel*.
> >
> > <>
> > Let's stop for a second and recap that all the drama happens within a
> > single L2 domain, a single *physical cable* like it was back in 10Base5
> > days :). So we're still under the chains of MAC address learning and
> > flooding, and all those subdomains have nothing to do with L3 yet.
> > <>
> >
> > To provide the required forwarding behavior, special *unidirectional*
> > wires are introduced. These are new VLAN *types* (private VLANs) that
> > have *different* frame forwarding behavior than the regular VLAN does:
> >
> > - Primary VLAN: forwards frames *downstream* (unidirectional!!) from P
> >   to I and C ports. This is a unidirectional broadcast media to feed
> >   traffic from P to all other ports, and this is how *funnel* feeds all
> >   other ports.
> >
> > Secondary VLANs (upstream feeders):
> >
> > - Isolated VLAN: forwards frames *upstream* (unidir!) from I ports to P
> >   ports. There is only ONE Isolated VLAN within a Private VLAN domain.
> >
> > - Community VLAN: forwards frames upstream from C to C ports and from C
> >   to P ports. There could be many Community VLANs within a domain.
> >
> > OK, so far so good. Now we see that Private VLANs are just
> > unidirectional wires (not quite true with Community VLAN, which is only
> > unidirectional with respect to C->P traffic flow). Clearly this is why
> > we could only bind a Secondary to one Primary VLAN - it's just a wire,
> > and we can't use it to send multiple traffic feeds.
> >
> > Let's move straight to the configuration part, and see what every
> > configuration step accomplishes:
> >
> > Step 1: Create Primary and Secondary VLANs and bind them into PVLan
> > domain:
> >
> > !
> > ! Creating VLANs
> > !
> > vlan 100
> >  private-vlan primary
> >
> > vlan 101
> >  private-vlan isolated
> >
> > vlan 102
> >  private-vlan community
> >
> > !
> > ! Associating
> > !
> > vlan 100
> >  private-vlan assoc 101,102
> >
> > What this step is needed for is to group PVLANs into a domain and
> > establish a formal association (for syntax checking and verifications).
> >
> > Step 2:
> >
> > Create Host ports and bind them to the respective PVLANs. Here you set
> > up *upstream* wires, to connect host ports to all possible Promiscuous
> > ports (primary VLAN). Note that a host port belongs to different VLANs
> > at the same time: *downstream* primary and *upstream* secondary.
> >
> > interface Fast x/y
> >  switchport mode private-vlan host
> >  switchport private-vlan host-association 100 101
> > !
> > interface range Fast x/y - z
> >  switchport mode private-vlan host
> >  switchport private-vlan host-association 100 102
> >
> > Step 3:
> >
> > Create a promiscuous port, and bind *downstream* mapping. Here you add
> > secondary VLANs whose traffic is received by this P port. Primary VLAN
> > is used to deliver traffic downstream to all C/I ports as per their
> > associations.
> >
> > interface Fast x/y
> >  switchport mode private-vlan promisc
> >  switchport private-vlan mapping 100 add 101,102
> >
> > Here's a quick question: Could you have two P-ports sharing the same
> > primary VLAN, but having different secondary VLAN mappings?
> >
> > ---
> >
> > The last two questions left to be fully explained are mapping L2 PVLAN
> > domain to a SVI interface on a switch, and interconnecting PVLAN
> > domains on multiple switches. I would gladly go into details explaining
> > those, if someone would need it. It's just that I already wrote too
> > much :) Thanks for all your attention.
> >
> > HTH
> >
> > --
> > Petr Lapukhov, CCIE #16379 (R&S/Security/SP)
> > petr@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> >
> >
> > 2007/6/15, Mike Kraus (mikraus) <mikraus@cisco.com>:
> >
> > 3560swt001(config)#vlan 850
> > 3560swt001(config-vlan)# private-vlan primary
> > 3560swt001(config-vlan)#vlan 851
> > 3560swt001(config-vlan)# private-vlan isolated
> > 3560swt001(config-vlan)#vlan 850
> > 3560swt001(config-vlan)# private-vlan association 851
> > 3560swt001(config-vlan)#vlan 860
> > 3560swt001(config-vlan)# private-vlan primary
> > 3560swt001(config-vlan)# private-vlan association 851
> > %Command rejected: invalid private vlan association between vlan860 and
> > vlan851. VLAN 851 is already associated with VLAN 850.
> >
> > So, as the docs state: "An isolated or community VLAN can have only one
> > primary VLAN associated with it."
> >
> >
> > ________________________________
> >
> > From: Anthony Bonilla [mailto:anthonybonilla.ccie@gmail.com]
> > Sent: Friday, June 15, 2007 10:08 AM
> > To: Mike Kraus (mikraus)
> > Cc: roehsler; ccielab@groupstudy.com
> > Subject: Re: quick private vlan question
> >
> >
> > can you share the whole configs - what is vlan851 configured as?
> >
> >
> > On 6/13/07, Mike Kraus (mikraus) <mikraus@cisco.com> wrote:
> >
> > Doesn't let you do it:
> >
> > Switch(config-vlan)#private-vlan association 851
> > %Command rejected: invalid private vlan association between vlan860 and
> > vlan851. VLAN 851 is already associated with VLAN 850.
> >
> > (3560 running 12.2(35)SE, advanced IP services)
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of roehsler
> > Sent: Thursday, May 03, 2007 9:39 AM
> > To: Anthony Bonilla
> > Cc: ccielab@groupstudy.com
> > Subject: Re: quick private vlan question
> >
> > Hi,
> >
> > Are you sure? Sorry for the confusion but I just read:
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swpvlan.htm
> >
> > Which states:
> >
> > A primary VLAN can have one isolated VLAN and multiple community VLANs
> > associated with it. An isolated or community VLAN can have only one
> > primary VLAN associated with it.
> >
> > Thanks again.
> >
> > On 5/3/07, Anthony Bonilla <anthonybonilla.ccie@gmail.com> wrote:
> > > Yes, you can use the same number for isolated VLANs and they will
> > > still not be able to talk to each other. Thanks.
> > >
> > >
> > > On 5/3/07, roehsler <roehsler@gmail.com> wrote:
> > > > Hi,
> > > >
> > > > Let's say I have multiple primary vlans:
> > > >
> > > > vlan_2
> > > > vlan_3
> > > > vlan_4
> > > >
> > > > And I have one isolated vlan:
> > > >
> > > > vlan_10
> > > >
> > > > Can I use the same isolated vlan in each/all of my primary vlans? I
> > > > think the answer is yes.
> > > >
> > > > Thanks
> > > >
> > > > David
> > > >
> > > > _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> Muhammad Nasim
> Network Engineer
> SISCOM
> Saudi Arabia
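A small Python model of the forwarding rules laid out in the thread above, added here as an illustration; it is not code from any poster or from Cisco. The configuration steps become method calls (vlan, association, host-association, mapping), `can_send` answers whether a frame from one port reaches another, and `associate` reproduces the "%Command rejected" check when a secondary VLAN is bound to a second primary. It assumes, following Mike's observation, that a promiscuous port exchanges traffic only with the secondary VLANs mapped onto it.

```python
class PvlanError(ValueError):
    """Raised where the switch CLI would answer '%Command rejected'."""


class Switch:
    def __init__(self):
        self.vlan_type = {}    # vid -> "primary" | "isolated" | "community"
        self.association = {}  # secondary vid -> its single primary vid
        self.host = {}         # host port -> (primary, secondary)
        self.promisc = {}      # promiscuous port -> (primary, mapped secondaries)

    def vlan(self, vid, kind):
        self.vlan_type[vid] = kind

    def associate(self, primary, secondaries):
        """vlan <primary> / private-vlan association <secondaries>."""
        for sec in secondaries:
            bound = self.association.get(sec)
            if bound not in (None, primary):   # the rejection Mike ran into
                raise PvlanError(f"VLAN {sec} is already associated with VLAN {bound}")
            self.association[sec] = primary

    def _check(self, primary, secondaries):
        for sec in secondaries:
            if self.association.get(sec) != primary:
                raise PvlanError(f"VLAN {sec} is not associated with VLAN {primary}")

    def host_port(self, port, primary, secondary):
        """switchport private-vlan host-association <primary> <secondary>."""
        self._check(primary, [secondary])
        self.host[port] = (primary, secondary)

    def promisc_port(self, port, primary, secondaries):
        """switchport private-vlan mapping <primary> add <secondaries>."""
        self._check(primary, secondaries)
        self.promisc[port] = (primary, set(secondaries))

    def can_send(self, src, dst):
        """True if a frame entering on src is delivered out of dst."""
        if src == dst:
            return False
        if src in self.promisc:   # downstream on the primary: only mapped secondaries
            prim, mapped = self.promisc[src]
            return dst in self.host and self.host[dst] in {(prim, s) for s in mapped}
        prim, sec = self.host[src]             # upstream on the secondary VLAN
        if dst in self.promisc:                # reaches P only if P maps this secondary
            return self.promisc[dst][0] == prim and sec in self.promisc[dst][1]
        if dst in self.host:                   # only community "buddies" hear it
            return self.vlan_type[sec] == "community" and self.host[dst] == (prim, sec)
        return False
```

Build Mike's 850/851/852 layout with two promiscuous ports mapped to different secondaries and query `can_send` to reproduce his fa0/11 versus fa0/12 result.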



This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:49 ART